We can invite Patrik Falstrom and have a training session. On 27 May 2016 at 14:56, James Gannon <[log in to unmask]> wrote: > I like that idea. Lets try and gather some info before Helsinki and see if > this is something we need to put time into and where our time is best spent. > > -jg > > > > > On 27/05/2016, 13:55, "Niels ten Oever" <[log in to unmask]> > wrote: > > >Perhaps we can reach out to Michele and see where this is on their > >agenda? Shall I do so? Do other people share this concern? > > > >Cheers, > > > >Niels > > > >On 05/27/2016 02:38 PM, James Gannon wrote: > >> Agreed, so do I see you volunteering to lead this effort? =) > >> Happy to assist/help out where I can! > >> > >> -JG > >> > >> > >> > >> On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" < > [log in to unmask] on behalf of [log in to unmask]> > wrote: > >> > >>> Hi Rafik, > >>> > >>> The DNSSEC for Everybody is great and fun, but it's more a very rough > >>> 101. The DNSSEC workshop is also great, but it doesn't help you when > you > >>> are behind a production terminal. Good documentation is needed. Or we > >>> need to find out better why adoption levels are so low. > >>> > >>> Is this something we can bring up? > >>> > >>> I think this is especially an issue for the NCSG because NGO's, > >>> activists and individual users will greatly benefit from increased > >>> trust, and more protection against DNS poisoining. With the enormous > >>> success of Let's Encrypt (1 milltion certs distributed, covering >2.5 > >>> million domains) DNSSEC is the next logical step, and adoption is still > >>> _very_ low. > >>> > >>> Cheers, > >>> > >>> Niels > >>> > >>> > >>> On 05/27/2016 01:34 PM, Rafik Dammak wrote: > >>>> Hi Niels, > >>>> > >>>> ICANN organizes regularly for many years now in each ICANN meeting 2 > >>>> DNSSec sessions related: > >>>> > >>>> * DNSSEC Workshop > >>>> * DNSSEC for Everybody: A Beginner's Guide > >>>> > >>>> there are also also DNSSec session during conferences like African > >>>> Internet Summit (https://internetsummitafrica.org/programme/agenda), > >>>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS > forum > >>>> . my understanding is that ICANN tech team helped some ccTLD > >>>> operators http://dnssec-africa.org/ > >>>> > >>>> I don't think there are specific activities toward registrars per se. > >>>> > >>>> Best, > >>>> > >>>> Rafik > >>>> > >>>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever < > [log in to unmask] > >>>> <mailto:[log in to unmask]>>: > >>>> > >>>> Hi James, > >>>> > >>>> On 05/26/2016 12:12 PM, James Gannon wrote: > >>>> > No sorry what are the specific issues, i.e. In understanding > the KSK > >>>> > and ZSK keys, in documentation etc? Do DNS engineers at hosting > >>>> > companies really not understand it? > >>>> > > >>>> > Because there is a large amount of documentation out there for > >>>> > example on configuring DNSSEC in Bind and while yes deploying at > >>>> > scale is a risk that registrars would need to analysise and > take an > >>>> > internal risk position on Im not sure I understand the ‘even > the most > >>>> > experienced engineers don’t understand it’ part of the question. > >>>> > > >>>> > The rest I do for sure, adoption of DNSSEC is a big topic, but > there > >>>> > is huge amount son work going on in both ICANN and ISOC > supporting > >>>> > registrars who wish to move down that path in a stable and > secure > >>>> > path. ISOC has documentation specifically targeting at > registrars > >>>> > > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/ > >>>> > I know the RrSG has done some work for ones that are involved in > >>>> > that, there is also Deplay360 from ISOC > >>>> > http://www.internetsociety.org/deploy360/dnssec/ and a lot of > >>>> > community support behind it from a technical perspective for > those > >>>> > interested. > >>>> > > >>>> > >>>> Have been clicking through the ISOC site, but I cannot find a > proper > >>>> how-to or documentation for an indepdendent registrar anywhere. > >>>> > >>>> I think we should push harder for DNSSEC adoption, and ICANN can > and > >>>> should play a role in this imho, why would it be more of an ISOC > task > >>>> than a ICANN task? > >>>> > >>>> > >>>> > My question would be what is the thing that needs to be done to > >>>> > promote adoption, and from what I have seen so far its usually > risk > >>>> > aversion on the business side, and that’s not something that we > can > >>>> > do much about from the ICANN side of things, something I feel > ISOC > >>>> > should focus on more tho. > >>>> > >>>> Business aversion is also because it's hard, and thus will cost > more > >>>> time. Also: more risk because it might break. This does not > balance well > >>>> with the increased trust gained with DNSSEC. We can help tip this > scale > >>>> by making implementation easier through good documentation, no? > Looks > >>>> like an ICANN task par excellence to me! > >>>> > >>>> Cheers, > >>>> > >>>> Niels > >>>> > >>>> > >>>> > > >>>> > -J > >>>> > > >>>> > > >>>> > > >>>> > > >>>> > On 26/05/2016, 11:03, "Niels ten Oever" > >>>> <[log in to unmask] <mailto:[log in to unmask] > >> > >>>> > wrote: > >>>> > > >>>> >> Do you mean you would like to hear names of registrars that are > >>>> >> not offering DNSSEC ? Am afraid it is the majority of the SME > >>>> >> registrars / hosting providers. > >>>> >> > >>>> >> Cheers, > >>>> >> > >>>> >> Niels > >>>> >> > >>>> >> On 05/26/2016 11:57 AM, James Gannon wrote: > >>>> >>> Have you got any specific examples? > >>>> >>> > >>>> >>> > >>>> >>> > >>>> >>> > >>>> >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten > Oever" > >>>> >>> <[log in to unmask] > >>>> <mailto:[log in to unmask]> on behalf of > >>>> >>> [log in to unmask] > >>>> <mailto:[log in to unmask]>> wrote: > >>>> >>> > >>>> >>>> Hi all, > >>>> >>>> > >>>> >>>> I have been talking to several registrars (especially smaller > >>>> >>>> ones that provide a lot of support to NGOs), that do not > >>>> >>>> provide DNSSEC yet as part of their service. > >>>> >>>> > >>>> >>>> The story that I keep on hearing is that even the most > >>>> >>>> experienced engineers have issues with understanding the > >>>> >>>> configuration of the KSK and Zone signing keys and the key > >>>> >>>> rollover, inconsistencies in documentation and therefore lack > >>>> >>>> of adoption, because in case of a mistake this might > seriously > >>>> >>>> impact the production environment. > >>>> >>>> > >>>> >>>> I think the adoption of DNSSEC is an issue we should care > about > >>>> >>>> because it has the potential to radically increase trust in > the > >>>> >>>> DNS system. > >>>> >>>> > >>>> >>>> Is this an issue you all recognize, and do you know how / if > >>>> >>>> ICANN makes (or can make) this easier? > >>>> >>>> > >>>> >>>> Best, > >>>> >>>> > >>>> >>>> Niels > >>>> >>>> > >>>> >>>> > >>>> >>>> -- Niels ten Oever Head of Digital > >>>> >>>> > >>>> >>>> Article 19 www.article19.org <http://www.article19.org> > >>>> >>>> > >>>> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 > 636D > >>>> >>>> 68E9 > >>>> >>>> > >>>> >> > >>>> >> -- Niels ten Oever Head of Digital > >>>> >> > >>>> >> Article 19 www.article19.org <http://www.article19.org> > >>>> >> > >>>> >> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D > >>>> >> 68E9 > >>>> > >>>> -- > >>>> Niels ten Oever > >>>> Head of Digital > >>>> > >>>> Article 19 > >>>> www.article19.org <http://www.article19.org> > >>>> > >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 > >>>> 678B 08B5 A0F2 636D 68E9 > >>>> > >>>> > >>> > >>> -- > >>> Niels ten Oever > >>> Head of Digital > >>> > >>> Article 19 > >>> www.article19.org > >>> > >>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 > >>> 678B 08B5 A0F2 636D 68E9 > > > >-- > >Niels ten Oever > >Head of Digital > > > >Article 19 > >www.article19.org > > > >PGP fingerprint 8D9F C567 BEE4 A431 56C4 > > 678B 08B5 A0F2 636D 68E9 > -- Farzaneh